From 9b0c8ced9c71a86f68d3e29693979dad6da3b79d Mon Sep 17 00:00:00 2001 From: Wilco Dijkstra Date: Mon, 31 Mar 2025 11:44:02 +0000 Subject: [PATCH] malloc: Improve free checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The checks on size can be merged and use __builtin_add_overflow. Since tcache only handles small sizes (and rejects sizes < MINSIZE), delay this check until after tcache. Reviewed-by: Adhemerval Zanella  --- malloc/malloc.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/malloc/malloc.c b/malloc/malloc.c index e827875acc..19b6cfafa0 100644 --- a/malloc/malloc.c +++ b/malloc/malloc.c @@ -3468,16 +3468,8 @@ __libc_free (void *mem) INTERNAL_SIZE_T size = chunksize (p); - /* Little security check which won't hurt performance: the - allocator never wraps around at the end of the address space. - Therefore we can exclude some size values which might appear - here by accident or by "design" from some intruder. */ - if (__glibc_unlikely ((uintptr_t) p > (uintptr_t) -size - || misaligned_chunk (p))) + if (__glibc_unlikely (misaligned_chunk (p))) malloc_printerr ("free(): invalid pointer"); - /* We know that each chunk is at least MINSIZE bytes. */ - if (__glibc_unlikely (size < MINSIZE)) - malloc_printerr ("free(): invalid size"); check_inuse_chunk (arena_for_chunk (p), p); @@ -3486,6 +3478,11 @@ __libc_free (void *mem) return; #endif + /* Check size >= MINSIZE and p + size does not overflow. */ + if (__glibc_unlikely (__builtin_add_overflow_p ((uintptr_t) p, size - MINSIZE, + (uintptr_t) 0))) + malloc_printerr ("free(): invalid size"); + _int_free_chunk (arena_for_chunk (p), p, size, 0); } libc_hidden_def (__libc_free)
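Review bot: Removing the `size < MINSIZE` test from this hunk means `tcache_free` (called between this hunk and the next, outside the visible lines) is now the first consumer of a `size` that has only been alignment-checked, and the commit message's claim that tcache rejects undersized chunks appears to rest on the bin-index computation underflowing to a value above `mp_.tcache_bins` rather than on any explicit comparison — confirm against `tcache_free`. That invariant is now load-bearing for the safety of the tcache write, so I would state it where the removed check used to be, e.g. `/* size is only alignment-checked here; tcache_free must reject size < MINSIZE (its index computation wraps) before the MINSIZE/overflow check later in __libc_free runs.  */`. The only pre-tcache check left in this hunk is `misaligned_chunk (p)`; `__libc_free` continues past the hunk.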
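Review bot: The new comment `/* Check size >= MINSIZE and p + size does not overflow. */` overstates the second half: the expression tests that `p + (size - MINSIZE)` does not wrap, which admits sizes whose `p + size` wraps into the first MINSIZE bytes of the address space — a case the removed `(uintptr_t) p > (uintptr_t) -size` test rejected. The loosening looks harmless, since the next-chunk header would then presumably land in an unmapped low page, but the comment should say what is actually enforced, e.g. `/* Reject size < MINSIZE (size - MINSIZE wraps, so the add overflows) and any size for which p + size - MINSIZE would wrap past the end of the address space; this is MINSIZE bytes more permissive than the old p + size test.  */`. The `(uintptr_t) 0` third argument is what makes `__builtin_add_overflow_p` evaluate in uintptr_t rather than int, so a short why-comment there (`/* type of 3rd arg selects uintptr_t arithmetic */`) would stop someone "simplifying" it to a bare `0`. `__libc_free` starts before this hunk.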